Cybersecurity Maturity Model Certification 2.0

Author photo: Daniel Keyser
By Daniel Keyser

Keywords: CMMC, NIST, Defense Industrial Base, Federal Cybersecurity, Cybersecurity Maturity Model Certification, NIST 800-53 Rev. 5, NIST 800-171 Rev. 2, NIST 800-172, National Institute of Standards and Technology, ARC Advisory Group.


The Cybersecurity Maturity Model Certification (CMMC) 2.0 is a Department of Defense (DoD) certification verifying that an organization within the Defense Industrial Base is making best possible practice in the securement of Controlled Unclassified Information (CUI). CMMC 2.0 follows in the path of CMMC 1.0, and further attempts are being made by the US to secure their information from an increased threat of cyber espionage, especially of mission critical information used to create and manufacture systems vital to the national defense.  However, CMMC fills a specific niche, and sees itself as a certification program founded out of specific standards from 800-171 rev. 2, 800-172, and 800-53 rev. 5, which intermesh with the certification model. CMMC is focused specifically on the security of CUI, and not Industrial Control Systems and OT security. CMMC falls strictly to the IT security side of the equation and towards the control of sensitive information.

What Is CMMC 2.0?

The Cybersecurity Maturity Model Certification is a requirement for working within the Defense Industrial Base framework to better protect the national interest, ingenuity, and intellectual property, of American companies against outside threats from state aligned actors, non-state actors, and individuals looking for high value attacks of opportunity. CMMC may be thought of as a cyber hygiene model concerned with protecting information.

The Cybersecurity Maturity Model Certification was originally established in September of 2020 by the Department of Defense and outlined the basic framework as focusing on a tiered system, requiring assessment, and implementing through contracts, with an initial phase in a period of five years. In November of 2021, following public comments in response to the creation and initial Cybersecurity Maturity Model Certification process, new goals and a new ranking structure was established to bring the model up to the 2.0 designation it now sits at. The transition from 1.0 to 2.0 saw a change from a five-tier system to a three-tier system, with cyber hygiene evaluated by self-assessment, and then triennial government assessment at the highest level, with the middle level having some government assessment included.

NIST 800-53 Rev. 5, NIST 800-171 Rev. 2, and NIST 800-172

CMMC 2.0 includes standard practices and procedures adopted from specific technical standards, in this case, specifically the NIST 800 series standard practices. NIST, or the National Institute of Standards and Technology, has created specific standards for cybersecurity that the US government and its entities must adhere to. Companies working with those entities, including companies manufacturing something deemed to be part of the national defense or aligning themselves with the Defense Industrial Base (DIB).

The baseline for federal cybersecurity standards is set up in NIST SP 800-53, currently updated to revision 5. Revision 5 also took things a step further, omitting “federal” to set the standard for US based companies for ideal baseline cybersecurity measures for their organizations. All US federal agencies and contractors working with the US Government must adhere to this certification, however this certification is open to any company to use as their guiding standard. Where CMMC 2.0 comes into this equation is an understanding that at the baseline NIST SP 800-53 rev. 5 is already implemented into an organization’s guiding standards before progressing up the CMMC 2.0 tiers.

Cybersecurity Maturity Model Certification

The specific NIST standards utilized and mentioned in CMMC 2.0 are NIST 800-171 rev. 2, and NIST 800-172. NIST 800-171 specifically deals with the protection of Controlled Unclassified Information, specifically detailing:  

  • How to protect media, both digital and physical
  • Limit access to CUI on systems to authorized users
  • Sanitize or destroy media containing CUI before disposal
  • Mark CUI as CUI
  • Implement cryptographic measures necessary to protect CUI
  • Control the use of removable media (learning from Stuxnet)
  • Prohibit the use of portable storage devices not authorized to a specific owner
  • Protect the confidentiality of and backup of CUI storage locations



ARC Advisory Group clients can view the complete report at  ARC Client Portal

If you would like to buy this report or obtain information about how to become a client, please  Contact Us

Obtain more ARC In-depth Research at Market Analysis

Learn more about ARC Strategic Services at Advisory Services for Industry Leaders 


Engage with ARC Advisory Group

Representative End User Clients
Representative Automation Clients
Representative Software Clients